Posted to dev@ranger.apache.org by Alok Lal <al...@hortonworks.com> on 2015/06/10 02:54:18 UTC
Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/
-----------------------------------------------------------
Review request for ranger and Madhan Neethiraj.
Repository: ranger
Description
-------
- Changed code for filter and authorizer.
- Added misc logging to some classes for ease of debugging.
- Log column level audit even when family level access is available.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java cea3e05
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java e0b652e
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandler.java bbff6df
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java e383614
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java ae61a1e
hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilterTest.java 4b49721
Diff: https://reviews.apache.org/r/35276/diff/
Testing
-------
Testing scenario laid out in the apache JIRA.
Thanks,
Alok Lal
Re: Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/#review87352
-----------------------------------------------------------
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
<https://reviews.apache.org/r/35276/#comment139686>
Is ANY_ACCESS check necessary? Can the column family be simply marked as 'indeterminate', and have the authorization done at the filter?
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
<https://reviews.apache.org/r/35276/#comment139688>
When columns are specified for the family, session.isAuthorized() here would be the value of the last column for which authorization was done - line #437. If yes, this code looks incorrect. Please review.
- Madhan Neethiraj
On June 10, 2015, 12:54 a.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35276/
> -----------------------------------------------------------
>
> (Updated June 10, 2015, 12:54 a.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> - Changed code for filter and authorizer.
> - Added misc logging to some classes for ease of debugging.
> - Log column level audit even when family level access is available.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java cea3e05
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java e0b652e
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandler.java bbff6df
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java e383614
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java ae61a1e
> hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilterTest.java 4b49721
>
> Diff: https://reviews.apache.org/r/35276/diff/
>
>
> Testing
> -------
>
> Testing scenario laid out in the apache JIRA.
>
>
> Thanks,
>
> Alok Lal
>
>
Re: Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/#review87372
-----------------------------------------------------------
Ship it!
- Madhan Neethiraj
On June 10, 2015, 6:35 a.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35276/
> -----------------------------------------------------------
>
> (Updated June 10, 2015, 6:35 a.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> - Changed code for filter and authorizer.
> - Added misc logging to some classes for ease of debugging.
> - Log column level audit even when family level access is available.
>
>
> Diffs
> -----
>
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33
>
> Diff: https://reviews.apache.org/r/35276/diff/
>
>
> Testing
> -------
>
> Testing scenario laid out in the apache JIRA.
>
>
> Thanks,
>
> Alok Lal
>
>
Re: Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.
Posted by Alok Lal <al...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/
-----------------------------------------------------------
(Updated June 9, 2015, 11:35 p.m.)
Review request for ranger and Madhan Neethiraj.
Changes
-------
Fixed rework comments and bugs in audit handling.
- hbase acl tests passed
- Still rerunning xa hbase tests
Repository: ranger
Description
-------
- Changed code for filter and authorizer.
- Added misc logging to some classes for ease of debugging.
- Log column level audit even when family level access is available.
Diffs (updated)
-----
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33
Diff: https://reviews.apache.org/r/35276/diff/
Testing
-------
Testing scenario laid out in the apache JIRA.
Thanks,
Alok Lal
Re: Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/#review87363
-----------------------------------------------------------
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
<https://reviews.apache.org/r/35276/#comment139702>
How is the filter created here returned to HBase? i.e. how does this filter get applied?
- Madhan Neethiraj
On June 10, 2015, 12:54 a.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35276/
> -----------------------------------------------------------
>
> (Updated June 10, 2015, 12:54 a.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> - Changed code for filter and authorizer.
> - Added misc logging to some classes for ease of debugging.
> - Log column level audit even when family level access is available.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java cea3e05
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java e0b652e
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandler.java bbff6df
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java e383614
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java ae61a1e
> hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilterTest.java 4b49721
>
> Diff: https://reviews.apache.org/r/35276/diff/
>
>
> Testing
> -------
>
> Testing scenario laid out in the apache JIRA.
>
>
> Thanks,
>
> Alok Lal
>
>